A high-severity Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2020-8417, exists in a popular WordPress plugin called Code Snippets, rendering over 200,000 websites vulnerable to site takeover.
In this blog post, we will cover what caused the flaw, an example Proof-Of-Concept showing exploitation in a sandbox environment, and mitigation steps.
What is the Code Snippets Vulnerability?
The National Vulnerability Database (NVD) describes CVE-2020-8417 as,
The Code Snippets plugin before 2.14.0 for WordPress allows CSRF because of the lack of a Referer check on the import menu.
I will explain this in 3 simple steps:
- The plugin allowed users to add snippets of PHP code to extend the functionality of a WordPress-powered website, without adding custom snippets to their theme’s
- Code Snippets offers an import menu for importing code onto the website. However, due to insufficient validation of the HTTP Referer header on the import menu, the plugin’s import function lacked CSRF protection.
- Without this protection, an attacker could craft a malicious request to trick an administrator into infecting their own site.
Therefore, CVE-2020-8417 allows anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability.
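The root cause described above is an admin action that accepted a state-changing request without binding it to the logged-in user's session. The following is an added illustration, not code from the Code Snippets plugin, of what that looks like in a hypothetical plugin: a handler that relies only on the browser's Referer header (which can be absent, stripped by privacy settings, or not checked strictly enough) beside one that uses the WordPress nonce and capability APIs. All `demo_*` function names, the `demo_import_snippets` action and the `demo_imported_snippets` option are assumptions made for this example.

```php
<?php
// Added example, not the Code Snippets plugin's own code. Shows a hypothetical
// plugin import handler written two ways: Referer-only (CSRF-able) and
// nonce + capability (the standard WordPress protection for admin actions).

// --- Weak: the only "check" is the Referer header ---------------------------
function demo_import_handler_weak() {
    $referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
    // Browsers may omit Referer entirely, so an empty value is waved through,
    // and nothing here proves the logged-in admin actually intended this request.
    if ( '' !== $referer && false === strpos( $referer, admin_url() ) ) {
        wp_die( 'Invalid referer' );
    }
    demo_store_upload( $_FILES['snippets_import'] );
}

// --- Hardened: per-user nonce in the form, verified server side --------------
function demo_render_import_form() {
    echo '<form method="post" enctype="multipart/form-data" action="'
        . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_import_snippets">';
    // Emits hidden _wpnonce (and _wp_http_referer) fields tied to this user and action.
    wp_nonce_field( 'demo_import_snippets' );
    echo '<input type="file" name="snippets_import">';
    submit_button( 'Upload' );
    echo '</form>';
}

function demo_import_handler_hardened() {
    // Verifies _wpnonce for this action; a cross-site page cannot read the
    // victim's nonce, so a forged request fails here with a "link expired" page.
    check_admin_referer( 'demo_import_snippets' );

    // The nonce proves intent, not privilege: enforce authorization separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    if ( empty( $_FILES['snippets_import']['tmp_name'] ) ) {
        wp_die( 'No file uploaded' );
    }

    demo_store_upload( $_FILES['snippets_import'] );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-snippets&imported=1' ) );
    exit;
}

// Minimal storage step so the handlers do something observable: the uploaded
// JSON must decode to an array of snippets, which is saved as a site option.
function demo_store_upload( $file ) {
    $raw      = file_get_contents( $file['tmp_name'] );
    $snippets = json_decode( $raw, true );
    if ( ! is_array( $snippets ) ) {
        wp_die( 'Import file is not a JSON array' );
    }
    update_option( 'demo_imported_snippets', $snippets, false );
}

// admin-post.php routes the form's "action" value to this handler for logged-in users.
add_action( 'admin_post_demo_import_snippets', 'demo_import_handler_hardened' );
```

The difference that matters for this CVE is the first line of the hardened handler: `check_admin_referer()` ties the request to a token the browser only gets by rendering the real admin form, which a page on another origin cannot obtain, whereas a Referer string is something the browser may not send at all.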
Proof Of Concept
Note: I cannot publicly disclose the technical details/exploit because the official PoC is yet to be released, specifically on 12th Feb 2020, to provide users ample time to update.
Here, I am going to do a local setup of WordPress to show a Proof-Of-Concept exploitation. I will use Code Snippets v2.13.3 to show the vulnerability since the bug has been patched in v2.14.0.
We download, import, install, and then activate the plugin.
To better understand the risk factor associated with the bug, I have removed all default code snippets and there is only a single administrator user — “admin” present currently.
Upon successful exploitation of this vulnerability, we will have one new code snippet titled “Attacker PoC” and we will have one new user added named “attacker” with administrative privileges.
Say, you are admin, reviewing comments, and a user has made a comment on your site saying they loved your content and would like you to check out theirs. Pretty innocent, right?
This way, a remote attacker (testuser) can trick the victim (admin) into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim (admin) on the vulnerable website, leading to remote code execution.
Here, as soon as victim (
I would like to clarify that,
Exploiting this vulnerability does not require that the target website has comments enabled — we just used this as our method of demonstration to show one of many ways an attacker could exploit this vulnerability (and how easily disguised it could be). There are numerous ways this could be exploited, but in the context of WordPress, it usually stems from a target administrator clicking on something like a link in a comment or from an email and being concurrently logged into the target WordPress site. The target administrator does not have to click on something like “Submit Request” from the malicious site in order for there to be a successful exploit, usually just clicking on a link that takes you to a malicious site is enough for compromise as a forged request can be sent in the background.
With remote code execution vulnerabilities, exploit possibilities are endless. An attacker could create a new administrative account on the site, exfiltrate sensitive information, infect site users, and much more.
How to resolve the Code Snippets Vulnerability?
This is very simple. Navigate to your WordPress plugin section and update the plugin to the newest version — v2.14.0. We would also recommend scanning and monitoring your WordPress website with WPSec.
Vulnerabilities similar to this are found often. As such we recommend all users to keep on top of updates either by updating manually, or by activating automatic updates.
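Updating removes the flaw, but the outcome demonstrated above (a new "attacker" account with administrator privileges) is also something a site owner can watch for directly. The following must-use plugin is an added example, not code from the Code Snippets project or from WPSec: it hooks the WordPress role-assignment actions and records whenever any account is created as, promoted to, or granted the administrator role, including the Referer and remote address of the request that did it, which is useful context when the change was forged through an administrator's browser. The file name, the `demo_*` function names and the log prefix are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Demo Admin Role Watch
 * Description: Added example (not from the Code Snippets project). Drop into
 *              wp-content/mu-plugins/ to be notified of administrator role grants.
 */

// WP_User::set_role() fires set_user_role( $user_id, $new_role, $old_roles ).
// wp_insert_user() calls set_role() too, so newly created accounts are covered.
add_action( 'set_user_role', 'demo_watch_set_role', 10, 3 );
// WP_User::add_role() fires add_user_role( $user_id, $role ) without replacing
// existing roles; watch it as well so a quiet "extra" role is not missed.
add_action( 'add_user_role', 'demo_watch_add_role', 10, 2 );

function demo_watch_set_role( $user_id, $new_role, $old_roles ) {
    if ( 'administrator' === $new_role
        && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        demo_report_admin_grant( $user_id, 'assigned the administrator role' );
    }
}

function demo_watch_add_role( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        demo_report_admin_grant( $user_id, 'had administrator added as an extra role' );
    }
}

// Writes one line to the PHP error log and emails the site owner. Request
// metadata is recorded so a forged request (valid admin session, foreign
// Referer) is distinguishable from a change made from the Users screen.
function demo_report_admin_grant( $user_id, $what ) {
    $user  = get_userdata( $user_id );
    $actor = wp_get_current_user();

    $details = sprintf(
        "User #%d (%s) %s\nActing account: %s\nRemote address: %s\nReferer: %s\nRequest URI: %s\nTime (UTC): %s",
        $user_id,
        $user ? $user->user_login : 'unknown',
        $what,
        ( $actor && $actor->exists() ) ? $actor->user_login : 'none (unauthenticated, cron or CLI)',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a',
        isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '(none)',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'n/a',
        current_time( 'mysql', true )
    );

    error_log( '[admin-role-watch] ' . str_replace( "\n", ' | ', $details ) );
    wp_mail(
        get_option( 'admin_email' ),
        '[' . get_bloginfo( 'name' ) . '] Administrator role granted',
        $details
    );
}
```

Because it lives in mu-plugins, it loads on every request and cannot be deactivated from the Plugins screen. It does not block the change, which keeps it safe to deploy on a live site; it only makes a privilege grant that the owner did not perform visible quickly, which is the point when the grant came from a request the owner's own browser was tricked into sending.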
Write up by